IEEE 802.11 Wireless Local Area Networks (RF-LANs) 



Wireless? 


A wireless LAN or WLAN is a wireless local 
area network that uses radio waves as its 
carrier. 

The last link with the users is wireless, to give 
a network connection to all users in a building 
or campus. 

The backbone network usually uses cables 


Types of Wireless LANs 

Infrastructure 

Ad-hoc 





Common Topologies 

(Infrastructure) The wireless LAN connects to a wired LAN 


• An access point is needed to bridge wireless LAN traffic 
into the wired LAN. 

• The access point (AP) can also act as a repeater for wireless nodes, 
effectively doubling the maximum possible distance between 
nodes. 


Network Infrastructure 

(figure: network infrastructure diagram) 
Common Topologies 

(Ad hoc) Complete Wireless Networks 

• The physical size of the network is determined by the maximum reliable 
propagation range of the radio signals. 

• Referred to as ad hoc networks 

• Are self-organizing networks without any centralized control 

• Suited for temporary situations such as meetings and conferences. 





Integration With Existing Networks 


• Wireless Access Points (APs) - a small device 
that bridges wireless traffic to your network. 

• Most access points bridge wireless LANs into 
Ethernet networks, but Token-Ring options are 
available as well. 



Integration With Existing Networks 

(figure: wireless protocols between a mobile client and a server) 

How are WLANs Different? 


They use specialized physical and data link protocols 

They integrate into existing networks through access 
points which provide a bridging function 

They let you stay connected as you roam from one 
coverage area to another 

They have unique security considerations 

They require different hardware 

They offer performance that differs from wired LANs. 



Physical and Data Link Layers 


Physical Layer: 

• The wireless NIC takes frames of data from 
the link layer, scrambles the data in a 
predetermined way, then uses the modified 
data stream to modulate a radio carrier 
signal. 

Data Link Layer: 

• Uses Carrier Sense Multiple Access with 
Collision Avoidance (CSMA/CA). 



Wireless network implementation 

SSID (Service Set Identifier of the wireless network) - a 
32-character alphanumeric string identifying the WLAN 

BSS (Basic Service Set) - a network consisting of several 
clients and a wireless Access Point (AP); unique SSID 

ESS (Extended Service Set) - a network consisting of 
several wireless APs; adds mobility, APs can use different 
SSIDs 





IEEE 802.x LAN standards and TCP/IP model 


The IEEE 802.x LAN standards deal with the Data Link and 
Physical layers of the TCP/IP model. IEEE 802.11 standardizes 
only the physical and medium access control layers for 
wireless networks. 
IEEE 802-series of LAN standards 


IEEE 802: Overview & Architecture 

IEEE 802.1: Bridging & Management 

IEEE 802.2: Logical Link Control 

IEEE 802.3: CSMA/CD Access Method 

IEEE 802.4: Token-Passing Bus Access Method 

IEEE 802.5: Token Ring Access Method 

IEEE 802.6: DQDB Access Method 

IEEE 802.7: Broadband LAN 

IEEE 802.10: Security 

IEEE 802.11: Wireless 

IEEE 802.12: Demand Priority Access 

IEEE 802.16: Broadband Wireless Metropolitan Area Networks 

What is 802.11? 


A family of wireless LAN (WLAN) specifications 
developed by a working group at the Institute of 
Electrical and Electronics Engineers (IEEE) 

Defines standards for WLANs using the following four 
technologies 

- Frequency Hopping Spread Spectrum (FHSS) 

- Direct Sequence Spread Spectrum (DSSS) 

- Infrared (IR) 

- Orthogonal Frequency Division Multiplexing (OFDM) 

Versions: 802.11a, 802.11b, 802.11g, 802.11e, 
802.11f, 802.11i 


The IEEE 802.11 and 
supporting LAN Standards 

802.11 WLANs 


• Media access layer: 

  - access to wireless medium 

  - authentication & privacy 

  - Distributed system: 

    - Association 

    - CSMA/CD 

• Physical 

  - modulation 

    • Frequency hopping 

    • Direct sequence 

    • Infrared 


Outline 


802.11 uses five distinct frequency 
ranges: the 2.4 GHz, 3.6 GHz, 4.9 GHz, 5 GHz, and 
5.9 GHz bands. Each range is divided into a 
multitude of channels. Countries apply their 
own regulations to the allowable channels, 
allowed users and maximum power levels 
within these frequency ranges. 


802.11 WLAN technologies 

• IEEE 802.11 standards and rates 

- IEEE 802.11 (1997): 1 Mbps and 2 Mbps (2.4 GHz band) 

- IEEE 802.11b (1999): 11 Mbps (2.4 GHz band) = Wi-Fi 

- IEEE 802.11a (1999): 6, 9, 12, 18, 24, 36, 48, 54 Mbps (5 GHz 
band) 

- IEEE 802.11g (2001... 2003): up to 54 Mbps (2.4 GHz), backward 
compatible with 802.11b 

• IEEE 802.11 networks work on licence-free industrial, scientific 
and medical (ISM) bands: 

Band (f/MHz)    Width       EIRP power in Finland 
902 - 928       26 MHz 
2400 - 2484     83.5 MHz    100 mW 
5150 - 5350     200 MHz     200 mW 
5470 - 5725     255 MHz     1 W 

EIRP: Effective Isotropically Radiated Power - radiated power measured immediately after the antenna. 
Equipment technical requirements for radio frequency usage are defined in ETS 300 328. 

802.11 LAN architecture 

(figure: Internet - hub, switch or router - AP in BSS 1 and AP in BSS 2) 

• wireless host communicates with base station 

  o base station = access point (AP) 

• Basic Service Set (BSS) (aka "cell") in infrastructure mode 
contains: 

  o wireless hosts 

  o access point (AP): base station 

• ad hoc mode: hosts only 
IEEE 802.11 Architecture 


• IEEE 802.11 defines the physical (PHY) and media access control (MAC) layers 
for a wireless local area network 

• 802.11 networks can work as 

- basic service set (BSS) 

- extended service set (ESS) 

BSS can also be used in ad-hoc networking 

(figure: layer stack - LLC over MAC over PHY, with PHY options FHSS, DSSS and IR) 

LLC: Logical Link Control Layer 

MAC: Medium Access Control Layer 

PHY: Physical Layer 

FHSS: Frequency hopping SS 

DSSS: Direct sequence SS 

SS: Spread spectrum 

IR: Infrared light 

BSS: Basic Service Set 

ESS: Extended Service Set 

AP: Access Point 

DS: Distribution System 

(figure: ad-hoc network) 

Figure 14.1 Basic service sets (BSSs) 

BSS: Basic service set 
AP: Access point 

Figure 14.2 Extended service sets (ESSs) 

BSS and ESS 

Basic (independent) service set (BSS) 


Extended service set (ESS) 


In an ESS, multiple access points are connected by a 
distribution system such as Ethernet 

- BSSs partially overlap 

- Physically disjoint BSSs 





Roaming 


Users maintain a continuous connection as they 
roam from one physical area to another 

Mobile nodes automatically register with the new 
access point. 

Methods: DHCP, Mobile IP 


Roaming 

(figure: mobile node moving between three access points) 
802.11: Channels, association 


802.11b: 2.4 GHz - 2.485 GHz spectrum divided into 11 channels 
at different frequencies 

— AP admin chooses frequency for AP 

— interference possible: channel can be same as that 
chosen by neighboring AP! 

host: must associate with an AP 

— scans channels, listening for beacon frames 
containing AP's name (SSID) and MAC address 

— selects AP to associate with 

— may perform authentication 

— will typically run DHCP to get IP address in AP's 
subnet 


802.11 - Transmission 


Most wireless LAN products operate in 
unlicensed radio bands: 

- 2.4 GHz is most popular 

— Available in most parts of the world 

— No need for user licensing 

Most wireless LANs use spread-spectrum 
radio 

- Resistant to interference, secure 

- Two popular methods 

  • Frequency Hopping (FH) 

  • Direct Sequence (DS) 



Frequency Hopping Vs. Direct Sequence 


FH systems use a radio carrier that "hops" from frequency to 
frequency in a pattern known to both transmitter and receiver 

- Easy to implement 

- Resistance to noise 

- Limited throughput (2-3 Mbps @ 2.4 GHz) 

DS systems use a carrier that remains fixed to a specific 
frequency band. The data signal is spread onto a much larger 
range of frequencies (at a much lower power level) using a 
specific encoding scheme. 

- Much higher throughput than FH (11 Mbps) 

- Better range 

- Less resistant to noise (made up for by redundancy - it transmits at 
least 10 fully redundant copies of the original signal at the same time) 



802.11a Vs. 802.11b 


                  802.11a                                  802.11b 
Raw data rates    Up to 54 Mbps                            Up to 11 Mbps 
                  (54, 48, 36, 24, 18, 12 and 6 Mbps)      (11, 5.5, 2, and 1 Mbps) 
Range             50 meters                                100 meters 
Bandwidth         UNII and ISM (5 GHz range)               ISM (2.4000 - 2.4835 GHz range) 
Modulation        OFDM technology                          DSSS technology 
Performance 


• 802.11a offers speeds with a theoretical 
maximum rate of 54 Mbps in the 5 GHz band 

• 802.11b offers speeds with a theoretical 
maximum rate of 11 Mbps in the 2.4 GHz 
spectrum band 

• 802.11g is a new standard for data rates of up 
to a theoretical maximum of 54 Mbps at 2.4 
GHz. 



IEEE 802.11: multiple access 

• Avoid collisions: 2 nodes transmitting at same time 

• 802.11: CSMA - sense before transmitting 

— don't collide with ongoing transmission by other node 

• 802.11: no collision detection! 

• Over a wired medium like an Ethernet cable it is possible to detect 
a collision (CD) by measuring the power level on the medium 
itself. Measuring the power level in a RF environment is not 
possible with the precision required to detect a packet collision 
and therefore CD is not possible. 

• difficult to receive (sense collisions) when transmitting due to 
weak received signals (fading) 

— can't sense all collisions in any case: hidden terminal, fading 

— goal: avoid collisions: CSMA/C(ollision)A(voidance) 
Collision avoidance mechanisms 


• Problem: 

- two nodes, hidden from each other, transmit complete frames to 
base station 

- wasted bandwidth for long duration! 

• Solution: 

- The fundamental concept in the 802.11 MAC to avoid collision is to delay the 
transmission until the medium becomes idle. 

- small reservation packets 

- nodes track reservation interval with internal "network allocation 
vector" (NAV) 


Figure 14.10 Hidden station problem (panels (a) and (b)) 

B and C are hidden from each other with respect to A. 
Avoiding collisions (more) 


idea: allow sender to "reserve" channel rather than random access of 
data frames: avoid collisions of long data frames 

• sender first transmits small request-to-send (RTS) packets to BS using 
CSMA 

- RTSs may still collide with each other (but they're short) 

• BS broadcasts clear-to-send CTS in response to RTS 

• CTS heard by all nodes 

- sender transmits data frame 

- other stations defer transmissions 


avoid data frame collisions completely 
using small reservation packets! 
Note 

The CTS frame in the CSMA/CA handshake can prevent collision 
from a hidden station. 

Figure 14.11 Use of handshaking to prevent hidden station problem 

Collision Avoidance: RTS-CTS exchange 

• RTS and CTS short: 

— collisions less likely, of shorter duration 

— end result similar to collision detection 

• IEEE 802.11 allows: 

— CSMA 

— CSMA/CA: reservations 

— polling from AP 
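As an added example (not code from the original slides), the following Python model shows how the NAV reservation from the collision-avoidance slides and the RTS/CTS exchange above work together against the hidden-station problem. Station names, frame airtimes and the SIFS value are constructed for the illustration; the model omits DIFS, random backoff and the ACK frame itself, and follows the rule that every station other than the addressed receiver sets its NAV from the Duration field of each frame it can hear.

```python
from dataclasses import dataclass

# Constructed timing values in microseconds (SIFS is the 802.11b value; frame
# airtimes are round numbers chosen for the illustration).
SIFS = 10
RTS_TIME = 40
CTS_TIME = 40
ACK_TIME = 40


@dataclass
class Station:
    name: str
    hears: frozenset               # names of stations whose signal reaches this one
    nav: int = 0                   # virtual carrier sense: medium reserved until this time
    carrier_busy_until: int = 0    # physical carrier sense: a signal it can hear is on the air

    def medium_free(self, now: int) -> bool:
        """CSMA/CA check before transmitting: both carrier senses must be idle."""
        return now >= self.nav and now >= self.carrier_busy_until


def transmit(stations, sender, receiver, now, airtime, duration, kind, log):
    """Put one frame on the air at time `now`. Every station in range sees the
    carrier; every one of them except the addressed receiver also reserves the
    medium for the frame's Duration field, i.e. updates its NAV. Returns the
    time at which the frame ends."""
    for st in stations.values():
        if st.name == sender or sender not in st.hears:
            continue                      # hidden station: hears nothing
        st.carrier_busy_until = max(st.carrier_busy_until, now + airtime)
        if st.name != receiver:
            st.nav = max(st.nav, now + airtime + duration)
            log.append(f"t={now}: {st.name} hears {kind} from {sender}, NAV={st.nav}")
    return now + airtime


def hidden_terminal(use_rts_cts: bool, data_time: int = 1000) -> dict:
    """A is the AP; B and C both hear A but not each other. B sends a data frame
    to A, and C checks the medium halfway through it. Returns the event log and
    whether C would transmit (which would collide at A)."""
    stations = {
        "A": Station("A", frozenset({"B", "C"})),
        "B": Station("B", frozenset({"A"})),
        "C": Station("C", frozenset({"A"})),
    }
    log, now = [], 0
    if use_rts_cts:
        # RTS Duration covers all that follows it: SIFS, CTS, SIFS, DATA, SIFS, ACK
        rts_duration = 3 * SIFS + CTS_TIME + data_time + ACK_TIME
        now = transmit(stations, "B", "A", now, RTS_TIME, rts_duration, "RTS", log) + SIFS
        # CTS Duration covers SIFS, DATA, SIFS, ACK; C hears it although it cannot hear B
        cts_duration = 2 * SIFS + data_time + ACK_TIME
        now = transmit(stations, "A", "B", now, CTS_TIME, cts_duration, "CTS", log) + SIFS
    data_start = now
    transmit(stations, "B", "A", now, data_time, SIFS + ACK_TIME, "DATA", log)
    probe = data_start + data_time // 2
    c_sends = stations["C"].medium_free(probe)
    log.append(f"t={probe}: C finds medium free={c_sends} (NAV={stations['C'].nav})")
    return {"log": log, "collision": c_sends}


if __name__ == "__main__":
    for mode in (False, True):
        result = hidden_terminal(use_rts_cts=mode)
        print(f"RTS/CTS {'on' if mode else 'off'}: collision={result['collision']}")
        for line in result["log"]:
            print("  " + line)
```

Without the reservation, C's physical carrier sense sees an idle medium during B's long frame and C transmits; with it, the short CTS from A carries a Duration value that sets C's NAV past the end of B's frame, so C defers even though it never heard B.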
802.11 frame: addressing 


Field:  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC 
Bytes:  2             | 2        | 6         | 6         | 6         | 2           | 6         | 0-2312  | 4 


Address 1: MAC address 
of wireless host or AP 
to receive this frame 

Address 2: MAC address 
of wireless host or AP 
transmitting this frame 

Address 3: MAC address 
of router interface to which 
AP is attached 

Address 4: used only in 
ad hoc mode 


NOTE: This frame structure is common for all data sent by an 
802.11 station 
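The header layout above, as an added example that is not code from the original slides: a Python parser that splits a raw 802.11 data frame into its fields. It reads the To DS / From DS bits of Frame Control to decide whether the optional Address 4 field is present and to label which station each address names, and it exposes the Protected bit, which tells a defender whether the body is encrypted (the header, addresses included, is always sent in the clear). The sample frame and its MAC addresses are constructed, and the trailing CRC in the sample is a placeholder rather than a computed value.

```python
import struct

# Frame Control bits, with the 16-bit field read as a little-endian integer.
FC_TO_DS = 0x0100
FC_FROM_DS = 0x0200
FC_MORE_FRAG = 0x0400
FC_RETRY = 0x0800
FC_PROTECTED = 0x4000   # body is WEP/WPA encrypted; the header never is

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def parse_frame_control(fc: int) -> dict:
    """Decode the 16-bit Frame Control field."""
    return {
        "version": fc & 0x3,
        "type": TYPE_NAMES[(fc >> 2) & 0x3],
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & FC_TO_DS),
        "from_ds": bool(fc & FC_FROM_DS),
        "more_frag": bool(fc & FC_MORE_FRAG),
        "retry": bool(fc & FC_RETRY),
        "protected": bool(fc & FC_PROTECTED),
    }


def address_roles(to_ds: bool, from_ds: bool) -> dict:
    """Which station each address field names, according to To DS / From DS."""
    if not to_ds and not from_ds:          # ad hoc (IBSS), management and control
        return {"addr1": "DA", "addr2": "SA", "addr3": "BSSID"}
    if to_ds and not from_ds:              # wireless host -> AP
        return {"addr1": "BSSID", "addr2": "SA", "addr3": "DA"}
    if not to_ds and from_ds:              # AP -> wireless host
        return {"addr1": "DA", "addr2": "BSSID", "addr3": "SA"}
    return {"addr1": "RA", "addr2": "TA", "addr3": "DA", "addr4": "SA"}  # AP -> AP (WDS)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_frame(frame: bytes) -> dict:
    """Split an 802.11 data frame into header fields, body and trailing CRC."""
    if len(frame) < 24 + 4:
        raise ValueError("frame shorter than minimum header plus CRC")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    info = parse_frame_control(fc)
    hdr_len = 30 if (info["to_ds"] and info["from_ds"]) else 24
    if len(frame) < hdr_len + 4:
        raise ValueError("four-address frame truncated")
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    out = {
        **info,
        "duration_us": duration,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "fragment": seq_ctrl & 0xF,          # low 4 bits of sequence control
        "sequence": seq_ctrl >> 4,           # high 12 bits
        "roles": address_roles(info["to_ds"], info["from_ds"]),
        "body": frame[hdr_len:-4],
        "crc": frame[-4:],
    }
    if hdr_len == 30:
        out["addr4"] = mac_str(frame[24:30])
    return out


# Constructed sample: a data frame from a wireless host to its AP (To DS = 1).
AP_BSSID = bytes.fromhex("001122334455")
HOST = bytes.fromhex("66778899aabb")
ROUTER = bytes.fromhex("ccddeeff0011")

SAMPLE_HOST_TO_AP = (
    b"\x08\x01"            # frame control: type=data, subtype=0, To DS=1
    + b"\x2c\x00"          # duration: 44 microseconds
    + AP_BSSID + HOST + ROUTER
    + b"\x50\x00"          # sequence control: sequence 5, fragment 0
    + b"hello"             # body (would be encrypted if the Protected bit were set)
    + b"\xde\xad\xbe\xef"  # placeholder CRC, not computed
)

if __name__ == "__main__":
    for key, value in parse_80211_frame(SAMPLE_HOST_TO_AP).items():
        print(f"{key:12} {value}")
```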
Table 14.4 Physical layers 


IEEE       Technique   Band        Modulation    Rate (Mbps) 
802.11     FHSS        2.4 GHz     FSK           1 and 2 
802.11     DSSS        2.4 GHz     PSK           1 and 2 
802.11     Infrared                PPM           1 and 2 
802.11a    OFDM        5.725 GHz   PSK or QAM    6 to 54 
802.11b    DSSS        2.4 GHz     PSK           5.5 and 11 
802.11g    OFDM        2.4 GHz     Different     22 and 54 
Security 


The IEEE 802.11 standard specifies 
optional security called "Wired Equivalent 
Privacy" whose goal is that a wireless LAN 
offer privacy equivalent to that offered by 
a wired LAN. The standard also specifies 
optional authentication measures. 



802.11b: Built in Security Features 


Service Set Identifier (SSID) 

Differentiates one access point from another 

The SSID is broadcast in beacon frames every few 
seconds. 

Beacon frames are in plain text! 



Associating with the AP 

Access points have two ways of initiating 
communication with a client: 
Shared Key or Open Key authentication 

Open key: need to supply the correct SSID 

— Allows anyone to start a conversation with the AP 

Shared Key is supposed to add an extra layer 
of security by requiring authentication info as 
soon as one associates 



Authentication and privacy 


Goal: to prevent unauthorized access & eavesdropping 

Realized by an authentication service prior to access 

Open system authentication 

- station wanting to authenticate sends an authentication management 
frame; receiving station sends back a frame for successful 
authentication 

Shared key authentication (included in WEP*) 

- Secret, shared key received by all stations by a separate, 802.11- 
independent channel 

- Stations authenticate by shared knowledge of the key properties 

WEP's privacy (blocking out eavesdropping) is based on ciphering: 

Plain Text --[Key]--> Encryption --> Cipher Text --[Key]--> Decryption --> Plain Text 

*WEP: Wired Equivalent Privacy 

Open System Authentication (OSA) 


Open System Authentication (OSA) is a process by which a 
computer can gain access to a wireless network that uses 
the Wired Equivalent Privacy (WEP) protocol. 

With OSA, a computer equipped with a wireless modem 
can access any WEP network and receive files that are 
not encrypted. 

For OSA to work, the service set identifier (SSID) of the 
computer should match the SSID of the wireless access 
point. The SSID is a sequence of characters that uniquely 
names a wireless local area network (WLAN). The process 
occurs in three steps: 







1. Open System Authentication 


Establishing the IEEE 802.11 association with no 
authentication 

  STA                                                          AP 
   |  -- Probe Request ------------------------------------>   | 
   |  <- Probe Response ------------------------------------   | 
   |  -- Open System Authentication Request (STA Identity) ->  | 
   |  <- Open System Authentication Response ---------------   | 
   |  -- Association Request ------------------------------>   | 
   |  <- Association Response ------------------------------   | 


CN8816: Network Security 
First, the computer sends a request for authentication to the 
access point. 

Then the access point generates an authentication code, 
usually at random, intended for use only during that session. 

Finally, the computer accepts the authentication code and 
becomes part of the network as long as the session continues 
and the computer remains within range of the original access 
point. 

If it is necessary to exchange encrypted data between a WEP 
network access point and a wireless-equipped computer, a 
stronger authentication process called Shared Key 
Authentication (SKA) is required. 

How Shared Key Auth. works 


Client begins by sending an association 
request to the AP. 

AP responds with a challenge text (unencrypted) 

Client, using the proper WEP key, encrypts the 
text and sends it back to the AP 

If properly encrypted, AP allows 
communication with the client 



2. Wired Equivalent Privacy (WEP) 


■ WEP uses shared key authentication 

  STA                                                           AP 
   |  <- Probe Request & Probe Response ->                      | 
   |  -- Shared Key Authentication (1) (STA Identity) -------->  | 
   |  <- Shared Key Authentication (2) (Challenge) ------------  | 
   |  -- Shared Key Authentication (3) (Encrypted Response) ->  | 
   |  <- Shared Key Authentication (4) (Success/Failure) ------  | 

802.11b Security Features 


Wired Equivalent Privacy (WEP) - A protocol to 
protect link-level data during wireless transmission 
between clients and access points. 

Services: 

— Authentication: provides access control to the network by 
denying access to client stations that fail to authenticate 
properly. 

— Confidentiality: intends to prevent information 
compromise from casual eavesdropping 

— Integrity: prevents messages from being modified while in 
transit between the wireless client and the access point. 



Wired Equivalent Privacy (WEP) 

Primary built-in security for the 802.11 protocol 

Uses RC4 encryption with 40-bit to 128-bit keys 

RC4 is a symmetric-key stream cipher algorithm that 
generates a pseudo-random data sequence. The stream 
is XORed with the data to be transmitted 

Unfortunately, since ratification of the 802.11 
standard, RC4 has been proven insecure, leaving the 
802.11 protocol wide open for attack 




2. Wired Equivalent Privacy (WEP) 


■ WEP Encryption uses RC4 stream cipher 

(figure: WEP encryption with RC4 keystream and Integrity Check Value (ICV)) 
Data Integrity 


Data integrity is ensured by a simple 
encrypted version of a CRC (Cyclic Redundancy 
Check) 



2. Wired Equivalent Privacy (WEP) 


■ Several major problems in WEP security 

■ The IV used to produce the RC4 stream is only 24-bit long 

■ The short IV field means that the same RC4 stream will be 
used to encrypt different texts - IV collision 

■ Statistical attacks can be used to recover the plaintexts 
due to IV collision 

■ The CRC-32 checksum can be easily manipulated to produce 
a valid integrity check value (ICV) for a false message 
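An added example (not code from the original slides) that ties the RC4/XOR description in the WEP slides above to the three problems listed here: a textbook RC4, a simplified WEP body format (IV sent in the clear, RC4 seeded with IV || key, CRC-32 ICV appended before encryption), the birthday-bound estimate of how soon a 24-bit IV repeats, the ciphertext XOR that a keystream reuse exposes to any passive listener, and a check that CRC-32 is linear, which is why an unkeyed CRC cannot serve as an integrity check. The key, IVs and plaintexts are constructed; real WEP also has per-frame details (key index byte, exact ICV byte order) that this model omits.

```python
import math
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then `length` keystream bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's Integrity Check Value: a plain CRC-32 of the plaintext (model)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: IV in clear || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, body: bytes):
    """Returns (plaintext, icv_ok); icv_ok is False if the body changed in transit."""
    iv, ct = body[:3], body[3:]
    pt_icv = xor(ct, rc4(iv + key, len(ct)))
    pt, received_icv = pt_icv[:-4], pt_icv[-4:]
    return pt, received_icv == icv(pt)


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^iv_bits) random IVs before one repeats.
    For 24 bits that is roughly 5,100 frames, i.e. seconds on a busy link."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def keystream_reuse_leak(body1: bytes, body2: bytes):
    """Two bodies under the same key and IV share one keystream, so
    ciphertext1 XOR ciphertext2 == plaintext1 XOR plaintext2: the keystream
    cancels and a listener learns the XOR of the plaintexts without the key.
    Returns None when the IVs differ (no reuse)."""
    if body1[:3] != body2[:3]:
        return None
    return xor(body1[3:], body2[3:])


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 satisfies crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for equal
    lengths. A checksum with this property, merely XORed with keystream,
    changes predictably with the ciphertext, so WEP's ICV is not a real MAC."""
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


# Constructed demo values (not real keys or captured traffic).
DEMO_KEY = bytes.fromhex("0102030405")   # 40-bit WEP key
DEMO_IV = b"\x00\x00\x01"

if __name__ == "__main__":
    body_a = wep_encrypt(DEMO_KEY, DEMO_IV, b"hello world")
    body_b = wep_encrypt(DEMO_KEY, DEMO_IV, b"HELLO WORLD")   # same IV: collision
    print("decrypts to:", wep_decrypt(DEMO_KEY, body_a))
    leak = keystream_reuse_leak(body_a, body_b)[:11]
    print("leak equals p1 xor p2:", leak == xor(b"hello world", b"HELLO WORLD"))
    print("frames until an IV repeat:", round(expected_frames_until_iv_collision()))
    print("CRC-32 is linear:", crc32_is_linear(b"abcdefgh", b"ABCDEFGH"))
```

The ICV does catch an accidental bit error (flip one ciphertext byte and `wep_decrypt` reports `icv_ok=False`), which is all a CRC is designed for; the two functions after it show why that is not enough once IVs repeat and the check is unkeyed. The modern answer is a per-frame nonce that cannot wrap in practice and a keyed integrity code, as WPA2's CCMP provides.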